[cfe-dev] Strange null deref from static analyzer

Morrell, Michael michael.morrell at intel.com
Wed Oct 9 12:38:03 PDT 2013


[Previously posted to cfe-users with no response, so trying here]

With the following code:

=================================
#include <stdlib.h>
#include <stdint.h>   /* for uint16_t */

extern bool x, y, z;

void foo(uint16_t *p)
{
   /* Each pointer is either NULL or a 32-element slice of p. */
   uint16_t *px = NULL, *py = NULL, *pz = NULL;

   if (x) {
       px = p;
       p += 32;
   }

   if (y) {
       py = p;
       p += 32;
   }

   if (z)
       pz = p;

   /* Every dereference is guarded by a NULL check. */
   if (px != NULL)
       px[0] = 0;
   if (py != NULL)
       py[0] = 0;
   if (pz != NULL)
       pz[0] = 0;
}
=================================

Running:

 checker-275/libexec/c++-analyzer -c foo.cpp gives:


foo.cpp:25:15: warning: Array access (from variable 'py') results in a null pointer dereference
       py[0] = 0;
       ~~    ^
foo.cpp:27:15: warning: Array access (from variable 'pz') results in a null pointer dereference
       pz[0] = 0;
       ~~    ^
2 warnings generated.

All variables are checked for NULL right before the dereference.  It is OK with "px", but not "py" or "pz".

As an aside, running "scan-build c++ -c foo.cpp" says there are no bugs.   I don't know why that would be different.

Should I just file a bug for this?

 Michael
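As an added check that is not part of the original post (and not Clang's own test code), the harness below exercises the posted function on all eight combinations of x, y and z with a valid 96-element buffer and confirms that only the expected slots are written and no NULL pointer is ever dereferenced. The function and variable names check_combo and check_all_paths, the buffer size, and the 0xFFFF fill value are assumptions made for this harness. Note that the harness deliberately passes only a valid buffer: calling foo() with p == NULL and x set would perform `p += 32` on a null pointer, which is undefined behaviour in its own right.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>

// The original declares these as extern; they are defined here so the
// harness can drive every combination of flags (assumption: same semantics).
bool x, y, z;

// Function under test, as posted: each pointer is NULL or a 32-element
// slice of p, and every dereference is guarded by a NULL check.
void foo(uint16_t *p)
{
   uint16_t *px = NULL, *py = NULL, *pz = NULL;

   if (x) {
       px = p;
       p += 32;
   }

   if (y) {
       py = p;
       p += 32;
   }

   if (z)
       pz = p;

   if (px != NULL)
       px[0] = 0;
   if (py != NULL)
       py[0] = 0;
   if (pz != NULL)
       pz[0] = 0;
}

// Run foo() once with the given flags and return true if exactly the
// expected slots of the buffer were written (written slots become 0,
// untouched slots keep the 0xFFFF fill). Name and layout are assumptions.
bool check_combo(bool fx, bool fy, bool fz)
{
    const size_t n = 96;             // room for three 32-element slices
    uint16_t buf[n];
    memset(buf, 0xFF, sizeof buf);   // every element starts as 0xFFFF

    x = fx; y = fy; z = fz;
    foo(buf);

    // Expected writes: slot 0 if x, then the next 32-aligned slot for
    // each of y and z, exactly mirroring the pointer arithmetic in foo().
    bool expected[n] = {false};
    size_t off = 0;
    if (fx) { expected[off] = true; off += 32; }
    if (fy) { expected[off] = true; off += 32; }
    if (fz) { expected[off] = true; }

    for (size_t i = 0; i < n; ++i) {
        bool written = (buf[i] == 0);
        if (written != expected[i])
            return false;
    }
    return true;
}

// Exercise all eight flag combinations; returns how many behaved as
// expected, so 8 means no path dereferences a NULL pointer or writes
// outside the expected slots.
int check_all_paths()
{
    int ok = 0;
    for (int m = 0; m < 8; ++m)
        if (check_combo((m & 1) != 0, (m & 2) != 0, (m & 4) != 0))
            ++ok;
    return ok;
}
```

Running the harness under a sanitizer build (e.g. -fsanitize=address,undefined) is a quick way to confirm the diagnostic is a false positive on all reachable paths before filing the bug.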
